Vulnerability Title: Authenticated iControl REST in Appliance mode vulnerability (CVE-2022-35243)
CVE Identifier: CVE-2022-35243
Published Date: Aug 3, 2022
Updated Date: Jan 4, 2024

Vulnerability Description: An authenticated user with the Administrator role may be able to bypass Appliance mode restrictions using an undisclosed iControl REST endpoint.

Security Advisory Status: Final
Severity: High - Appliance mode only
CVSSv3 Score: 8.7

Impacted Products and Versions:
- BIG-IP (all modules):
  - Vulnerable: 16.1.0 - 16.1.2, 15.1.0 - 15.1.5, 14.1.0 - 14.1.4, 13.1.0 - 13.1.5
  - Fixed: 17.0.0, 16.1.3, 15.1.5.1, 14.1.5, Will not fix for 13.x
- BIG-IP SPK, BIG-IQ Centralized Management, F5OS-A, F5OS-C, Aspen Mesh, Traffix SDC: Not vulnerable

Mitigation Actions:
- Block iControl REST access through the self IP address
- Block iControl REST access through the management interface

Vulnerable Component or Feature: iControl REST

Recommended Actions: Upgrade to a fixed version or apply temporary mitigations as described.
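
For checking an inventory against the version list above, the following Python sketch is an added example, not F5 code. It assumes that every release in a listed branch from the first vulnerable version up to the first fixed version (point releases included) is vulnerable; the function names and status strings are hypothetical.

```python
import re

# Transcribed from the advisory: (first vulnerable, first fixed or None).
# Assumption: every release in a branch from the first vulnerable version up to
# (not including) the first fixed one is vulnerable, point releases included.
BRANCHES = [
    ("16.1.0", "16.1.3"),
    ("15.1.0", "15.1.5.1"),
    ("14.1.0", "14.1.5"),
    ("13.1.0", None),        # advisory: will not fix for 13.x
]
FIXED_FROM = "17.0.0"        # listed as fixed; later releases assumed fixed too


def parse_version(text):
    """Turn '15.1.5.1' into (15, 1, 5, 1); pad short versions with zeros."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version, appliance_mode=True):
    """Hypothetical helper: status of one BIG-IP version for CVE-2022-35243."""
    if not appliance_mode:
        return "not-applicable"      # advisory severity is Appliance mode only
    v = parse_version(version)
    if v >= parse_version(FIXED_FROM):
        return "fixed"
    for first_vuln, first_fixed in BRANCHES:
        lo = parse_version(first_vuln)
        if v[:2] != lo[:2] or v < lo:
            continue                 # different branch
        if first_fixed is None:
            return "vulnerable-no-fix"
        return "fixed" if v >= parse_version(first_fixed) else "vulnerable"
    return "not-listed"              # the advisory says nothing about this version


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("ltm-a", "15.1.5"), ("ltm-b", "15.1.5.1"), ("ltm-c", "13.1.5")]:
        print(host, ver, classify(ver))
```

Versions are compared as integer tuples rather than strings, so 15.1.5 and 15.1.5.1 land on opposite sides of the fix boundary and 15.1.10 sorts after 15.1.9.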